Summary

Critical Infrastructure Protection: Comments on the National Plan for Information Systems Protection
T-AIMD-00-72  February 1, 2000

Government officials are increasingly concerned about computer attacks from individuals and groups with malicious intentions, including terrorists and nations engaging in information warfare. The dramatic rise in the interconnectivity of computer systems has compounded this threat. Today, massive computer networks provide pathways among systems that, if not properly secured, can be used to gain unauthorized access to data and operations from remote locations.

The National Plan for Information Systems Protection calls for strengthening the defenses against threats to critical public and private-sector computer systems--particularly those supporting public utilities, telecommunications, finance, emergency services, and government operations. The Plan is intended to begin a dialogue and help develop plans to protect other elements of the nation's infrastructure, including the physical infrastructure and the roles and responsibilities of state and local governments and private industry.

In GAO's view, the Plan is an important and positive step toward building the cyber defenses necessary to protect critical information and infrastructures. It (1) identifies the risks arising from the nation's dependence on computer networks for critical services, (2) recognizes the need for the federal government to take the lead in addressing critical infrastructure risks and to serve as a model for information security, and (3) outlines key concepts and general initiatives to help achieve these goals. Opportunities exist, however, to improve the Plan and address significant challenges to building the public-private partnership necessary for comprehensive infrastructure protection. GAO believes that, rather than emphasizing intrusion detection capabilities, the Plan should strive to provide agencies with the incentives and the tools to implement the management controls essential to comprehensive computer security programs. Also, the Plan relies heavily on legislation and requirements already in place that, as a whole, are outmoded and inadequate as well as poorly implemented by the agencies.

Subject Terms

Computer networks
Computer protection software
Computer security
Data integrity
Homeland security
Information resources management
Information security
Information systems
Internal controls
Joint ventures
Strategic information systems planning
Terrorism
Terrorists
Critical infrastructure protection